How to Install Duo Security 2FA for Palo Alto GlobalProtect VPN (RADIUS Configuration)


Hi, I am Matt from Duo Security.

In this video, I am going to show you how to protect your Palo Alto GlobalProtect VPN gateway with Duo two-factor authentication. This application uses RADIUS and the Duo Authentication Proxy.

Before watching this video, you should read the documentation for this configuration at duo.com/docs/paloalto. Note that in addition to this RADIUS-based configuration, you can also protect Palo Alto SSO logins with Duo. Read about the options for that configuration at duo.com/docs/paloalto-sso.

Before setting up this Duo integration with Palo Alto, you should have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.

To integrate Duo with your Palo Alto VPN, you will need to install a local proxy service on a machine within your network. Before proceeding, you should locate or set up a system on which you will install the Duo Authentication Proxy. The proxy supports Windows and Linux systems. In this video, we will use a Windows Server 2016 system. Note that this Duo proxy server also acts as a RADIUS server. There is no need to deploy a separate RADIUS server to use Duo.

The Palo Alto device in this video is running PAN-OS 8.0.6. The instructions for installing Duo Security via RADIUS on devices running older versions of PAN-OS differ slightly from what is shown in this video. Reference the documentation for more information.

On the system where you are going to install the Duo Authentication Proxy, log in to the Duo Admin Panel. In the left sidebar, navigate to Applications. Click Protect an Application. In the search bar, type palo alto. Next to the entry for Palo Alto SSL VPN, click Protect this Application. Note your integration key, secret key, and API hostname. You will need these later during setup. Near the top of the page, click the link to open the Duo documentation for Palo Alto.

Next, install the Duo Authentication Proxy. In this video, we will use a 64-bit Windows Server 2016 system. We recommend a system with at least 1 CPU, 200 megabytes of disk space, and 4 gigabytes of RAM. On the documentation page, navigate to the Install the Duo Authentication Proxy section. Click the link to download the most recent version of the proxy for Windows. Launch the installer on the server as a user with administrator rights and follow the on-screen prompts to complete installation.

After the installation completes, configure and start the proxy. For the purposes of this video, we assume that you have some familiarity with the elements that make up the proxy configuration file and how to format them. Complete descriptions of each of these elements are available in the documentation.

The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation. Run a text editor like WordPad as an administrator and open the configuration file. By default, the file is located in C:\Program Files (x86)\Duo Security Authentication Proxy\conf.

Because this is a completely new installation of the proxy, there will be example content in the configuration file. Delete this content.

First, configure the proxy for your primary authenticator. For this example, we will use Active Directory. Add an [ad_client] section to the top of the configuration file. Add the host parameter and enter the hostname or IP address of your domain controller. Then add the service_account_username parameter and enter the username of a domain member account that has permission to bind to your AD and perform searches. Next, add the service_account_password parameter and enter the password that corresponds to the username entered above. Finally, add the search_dn parameter and enter the LDAP distinguished name of an AD container or organizational unit containing all of the users you wish to permit to log in. Additional optional variables for this section are described in the documentation.

Next, configure the proxy for your Palo Alto GlobalProtect gateway. Create a [radius_server_auto] section below the [ad_client] section. Add the integration key, secret key, and API hostname from your Palo Alto application's properties page in the Duo Admin Panel. Add the radius_ip_1 parameter and enter the IP address of your Palo Alto GlobalProtect VPN. Below that, add the radius_secret_1 parameter and enter a secret to be shared between the proxy and your VPN. Add the client parameter and enter ad_client.

Palo Alto does not send the client IP address using the standard RADIUS attribute Calling-Station-ID. A new RADIUS attribute containing the client IP address, PaloAlto-Client-Source-IP, was introduced in PAN-OS version 7. To send the PaloAlto-Client-Source-IP attribute to Duo, add the client_ip_attr parameter and enter paloalto. Additional optional variables for this [radius_server_auto] section are described in the documentation.

Save your configuration file.
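
A quick consistency check for the two sections configured above, as an added example that is not part of the video or Duo's own tooling. It assumes the Authentication Proxy key names ikey, skey and api_host for the integration key, secret key and API hostname; check_authproxy, the sample file and every value in it are constructed placeholders.

```python
import configparser

# Constructed sample authproxy.cfg; every value below is a placeholder.
# ikey/skey/api_host are assumed key names; confirm them in the documentation.
SAMPLE_CFG = """
[ad_client]
host=dc1.example.internal
service_account_username=duo-svc
service_account_password=PLACEHOLDER-AD-PASSWORD
search_dn=OU=VPN Users,DC=example,DC=internal

[radius_server_auto]
ikey=PLACEHOLDER-INTEGRATION-KEY
skey=PLACEHOLDER-SECRET-KEY
api_host=PLACEHOLDER-API-HOSTNAME
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER-SHARED-SECRET
client=ad_client
client_ip_attr=paloalto
"""

REQUIRED = {
    "ad_client": ["host", "service_account_username",
                  "service_account_password", "search_dn"],
    "radius_server_auto": ["ikey", "skey", "api_host", "radius_ip_1", "client"],
}

def check_authproxy(text):
    """Return findings for the settings this walkthrough configures."""
    cfg = configparser.ConfigParser(interpolation=None)  # passwords may contain %
    cfg.read_string(text)
    findings = []
    for section, keys in REQUIRED.items():
        findings += [f"[{section}] {k} is missing or empty"
                     for k in keys if not cfg.get(section, k, fallback="").strip()]
    if cfg.has_section("radius_server_auto"):
        rs = cfg["radius_server_auto"]
        if rs.get("client") and not cfg.has_section(rs["client"]):
            findings.append("client names a section that does not exist")
        if rs.get("client_ip_attr") != "paloalto":
            findings.append("client_ip_attr is not paloalto")
        # Every radius_ip_N needs a matching, non-empty radius_secret_N.
        for key in [k for k in rs if k.startswith("radius_ip_")]:
            n = key[len("radius_ip_"):]
            if not rs.get(f"radius_secret_{n}", "").strip():
                findings.append(f"radius_ip_{n} has no radius_secret_{n}")
    return findings

print(check_authproxy(SAMPLE_CFG) or "no findings")
```

Point it at the text of your own authproxy.cfg before starting the service; an empty list means the settings described above are all present.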

Open an administrator command prompt and run net start DuoAuthProxy to start the proxy service.

Next, configure your Palo Alto GlobalProtect gateway. First, we will add the Duo RADIUS server. Log in to the Palo Alto administrative interface. Click the Device tab. In the left sidebar, navigate to Server Profiles, RADIUS. Click the Add button to add a new RADIUS server profile. In the Name field, enter Duo RADIUS. Increase the timeout to at least 30. We recommend using 60 if you are using push or phone authentication, so we will use 60 in this example. From the dropdown for authentication protocol, select PAP.

In the Servers section, click Add. In the Name field, enter Duo RADIUS. In the RADIUS Server field, enter the hostname or IP address of your Duo Authentication Proxy. In the Secret field, enter the RADIUS shared secret used in the authentication proxy configuration. Leave or set the port to 1812, as that is the default used by the proxy. If you used a different port during your Authentication Proxy setup, be sure to use that here. Click OK to save the new RADIUS server profile.

Now add an authentication profile. In the left sidebar, navigate to Authentication Profile. Click the Add button. In the Name field, enter Duo. In the Type dropdown, select RADIUS. In the Server Profile dropdown, select Duo RADIUS.

Depending on how your users log in to GlobalProtect, you may need to enter your authentication domain name in the User Domain field. This is used in conjunction with the Username Modifier field. If the Username Modifier is left blank or is set to %USERINPUT%, then the user's input is unmodified. You can prepend or append the value of %USERDOMAIN% to preconfigure the username input. Learn more about both of these items in the GlobalProtect documentation hosted on Palo Alto's website, which is linked in the Duo documentation.

Click the Advanced tab and click Add. Select the All group. Click OK to save the authentication profile.

Next, configure your GlobalProtect gateway settings. In the Palo Alto administrative interface, click the Network tab. In the left sidebar, navigate to GlobalProtect, Gateways. Select your configured GlobalProtect gateway. Click the Authentication tab. In the entry for your Client Authentication, in the Authentication Profile dropdown, select the Duo authentication profile you created earlier.

If you are not using authentication override cookies on your GlobalProtect gateway, you may want to enable them to minimize Duo authentication requests at client reconnection during one gateway session. You will need a certificate to use with the cookie. Click the Agent tab. Click the Client Settings tab. Click the name of your configuration to open it. On the Authentication Override tab, check the boxes to generate and accept cookies for authentication override. Enter a Cookie Lifetime. In this example, we will use eight hours. Select a certificate to use with the cookie. Click OK and then click OK again to save your gateway settings.

Now configure your portal settings. If the GlobalProtect portal is configured for Duo two-factor authentication, users may have to authenticate twice when connecting to the GlobalProtect gateway agent. For the best user experience, Duo recommends leaving your GlobalProtect portal set to use LDAP or Kerberos authentication. If you do add Duo to your GlobalProtect portal, we also recommend that you enable cookies for authentication override on your portal to avoid multiple Duo prompts for authentication when connecting.

In the Palo Alto administrative interface, from the Network tab, navigate to GlobalProtect, Portal. Click on your configured profile. Click the Authentication tab. In the entry for your client authentication, in the Authentication Profile dropdown, select the Duo authentication profile you configured earlier. Click the Agent tab. Click the entry for your configuration. On the Authentication tab, in the Authentication Override section, check the boxes to generate and accept cookies for authentication override. Enter a Cookie Lifetime. In this example, we will use eight hours. Select a certificate to use with the cookie. Click OK and then click OK again to save your gateway settings.

To make your changes take effect, click the Commit button in the upper-right corner of the Palo Alto administrative interface. Review your changes and click Commit again.

Now finish configuring your Palo Alto device to send the client IP to Duo. Connect to the Palo Alto device administration shell. Using the command from step one of the client IP reporting section of the Duo for Palo Alto documentation, enable sending the PaloAlto-Client-Source-IP client IP attribute.

After installing and configuring Duo on your Palo Alto GlobalProtect VPN, test your setup. Using a username that has been enrolled in Duo and that has activated the Duo Mobile app on a smartphone, attempt to connect to your VPN with your GlobalProtect gateway agent. You will receive an automatic push in the Duo Mobile app on your smartphone. Open the notification, check the contextual information to confirm the login is legitimate, approve it, and you are logged in.

Note that you can also append a form factor to the end of your password when logging in to use a passcode or manually select a two-factor authentication method. Reference the documentation for more information.

You have successfully set up Duo on your Palo Alto GlobalProtect gateway.